System Center Essentials 2007
Although limited to managing
500 client computers and 30 servers, SCE 2007 provides more features for
the deployment of software updates than WSUS 3.0 SP1 does. The primary
difference between the products is that you can also use SCE 2007 to
deploy software updates to non-Microsoft products. SCE 2007 provides
advanced update distribution control and scheduling flexibility and
basic compliance-checking functionality and inventory management.
Although SCE 2007 functions as much more than as a platform for
deploying software updates, such as providing health reports and
software and hardware inventory, this lesson discusses the update
functionality in particular. Only SCE 2007 SP1 or later can be installed
on a computer running Windows Server 2008.
Unlike WSUS 3.0 SP1,
SCE 2007 SP1 is not a free add-on to Windows Server 2008; a
nonevaluation version must be purchased from Microsoft when permanently
deployed in a production environment. SCE 2008 stores configuration data
in a Microsoft SQL Server database. It can either use SQL Server
Express, which you can install during the SCE 2007 installation process,
or store this data in a separate SQL Server 2005 SP2 or SQL Server 2008
database. The SQL Server 2005 SP2 or SQL Server 2008 database does not
need to be hosted on the same server as the other SCE 2007 components,
and all SCE 2007, including the database, can be installed on a computer
hosting the Active Directory Domain Services (AD DS) role.
SCE offers the following:
Update management for Microsoft and third-party applications and devices.
Software deployment of MSI and EXE installed software packages, including third-party applications and Office 2007.
Hardware
and software inventory with attributes collected for items such as
available disk space, RAM usage, and installed applications with version
numbers.
SCE 2007 interfaces
with client agent software that installs during the SCE 2007 discovery
process. SCE discovery involves the SCE 2007 server detecting all
computers on the network. When you run the discovery process, you select
which of the detected computers the SCE 2007 server will manage. The
user account you use to perform the SCE discovery process must have
administrative rights on all computers that the SCE 2007 server will
manage. After you select a computer for SCE 2007 to manage, the agent
software is automatically deployed to that computer.
SCE 2007 Software Update Configuration
The SCE 2007 software
update process is similar to the WSUS 3.0 SP1 software update process,
and SCE 2007 SP1 is built on top of WSUS 3.0 SP1. The SCE 2007 SP1 setup
process enables you to migrate WSUS 3.0 SP1 settings so that you retain
existing computer groups and software update approvals when moving to
the new software update platform. As with WSUS 3.0 SP1, you can use
computer groups and approval rules with SCE 2007 to stagger and automate
the deployment of updates. The biggest difference between the two
platforms is that you can use SCE 2007 to deploy updates and service
packs to third-party applications. This functionality is not available
in WSUS 3.0 SP1.
As also with WSUS 3.0
SP1, the source of Microsoft-related SCE 2007 updates can be either the
local SCE 2007 server or Microsoft Update. SCE 2007 can use a local
source to deploy updates only for third-party applications. When
deploying updates to third-party applications, you run the New Update
Wizard to create an update package. When the update package is created,
you select the computer groups to which the update package will be
deployed.
SCE 2007 in the Enterprise
When considering SCE 2007 as a software update solution in an enterprise environment, remember the following facts:
SCE 2007 can provide
software updates to a maximum of 30 servers and 500 client computers.
Most enterprise environments have more computers than this, which might
necessitate multiple SCE 2007 servers or mean that you will need to
deploy System Center Configuration Manager 2007 if your organization
requires advanced software update functionality.
You
can install only one SCE 2007 server in an Active Directory domain. It
is possible to have multiple SCE 2007 servers in an Active Directory
forest as long as there is only one SCE 2007 server per domain. If the
domains in your organization all have fewer than 500 clients and 30
servers, SCE 2007 is a viable software update platform.
You cannot use SCE 2007 in a workgroup environment. All SCE 2007 clients must be members of the same Active Directory forest.
SCE
2007 cannot function as part of a WSUS hierarchy. You can deploy WSUS
alongside SCE 2007, but the two software update platforms do not
directly interoperate.
You
can use SCE 2007 to provide software updates to computers in different
domains from the SCE 2007 server as long as these computers are in the
same Active Directory forest, and the 500-client, 30-server limit has
not been reached.
You cannot use a single SCE 2007 server as a software update provider for computers in different Active Directory forests.
SCE 2007 works
very well as a software update solution in an organization that has a
single site and fewer than 500 client computers and 30 server computers.
SCE 2007 is not an optimal solution for an organization that has
multiple sites connected by WAN links. This is because pushing software
updates across WAN links might flood those links with traffic. As
mentioned earlier, you cannot deploy SCE 2007 as part of a hierarchy,
and you cannot deploy multiple SCE 2007 servers within the same domain.
System Center Configuration Manager 2007
System Center
Configuration Manager (SCCM) 2007 provides a software update solution
for enterprise-sized environments that exceed the 500-client, 30-server
capacity of SCE 2007. As with SCE 2007, an organization must purchase
SCCM 2007 prior to deploying the product permanently as a software
update solution. SCCM 2007 does not ship with its own SQL Server
database, and you must deploy and configure SQL Server 2005 SP1 or SQL
Server 2008 in your environment prior to deploying SCCM 2007. Only SCCM
2007 SP1 or later can be deployed on a computer running Windows Server
2008. Although you can also use SCCM 2007 to deploy operating systems
and distribute software, the coverage in this lesson concentrates on the
software update deployment and management features of the product.
Like SCE 2007, SCCM 2007
can publish software updates for third-party products. Unlike SCE 2007,
SCCM 2007 can also use hierarchies, with primary sites, secondary sites,
parent sites, child sites, and central sites. All sites in a hierarchy
must be part of the same Active Directory forest. Each site requires one site server running SCCM 2007. Each site type has the following properties:
Primary site
This is the first SCCM 2007 site. It stores the SCCM 2007 data for
itself and for all sites below it in the hierarchy in a SQL Server
database.
Secondary site
This site has no local SQL Server database. It is attached to the
primary site and administered from the primary site. Secondary sites
require no additional SCCM 2007 license. Secondary sites cannot have
other sites below them in the hierarchy.
Parent sites This kind of site has other sites attached to it in a hierarchy.
Child sites A child site is attached to a site above it in the hierarchy. A child site can be either a primary site or a secondary site.
Central site Central sites have no parent sites. These sites are sometimes called standalone sites.
SCCM 2007 sites host
software update points. Software update points distribute software
updates to computers in the organization. WSUS 3.0 SP1 must be installed
on a computer running Windows Server 2008 before it can be configured
as an SCCM 2007 software update point. When configured as a software
update point, you perform all management tasks by using the SCCM 2007
console rather than by the original WSUS administration tools.
Practice: Windows Server 2008 Software Update Infrastructure
In this practice, you
will install two software update solutions. In the first exercise, you
will deploy Windows Server Update Services 3.0 SP1 on server Glasgow. In
the second exercise, you will work with an evaluation virtual hard disk
(VHD) of SCE 2007.
Before beginning Exercise 1, “Install WSUS 3.0 SP1 on Windows Server 2008,” you must perform the following tasks:
Before beginning Exercise 2, “SCE 2007 VHD,” you must perform the following tasks:
▸ Exercise 1 Install WSUS 3.0 SP1 on Windows Server 2008
In this practice, you
will install WSUS 3.0 SP1 on Windows Server 2008. You will configure
this installation so that updates are stored on the Microsoft Update
servers. This practice should be considered optional because it requires
Internet access. You can configure server Glasgow to access the
Internet by adding a second network card or by adding a virtual network
card and configuring Virtual Machine network settings appropriately.
This practice also assumes that you have not installed IIS on server
Glasgow. If IIS has been installed, use the Add Role Services
functionality to add the additional required components listed in step 4
instead of performing step 3.
1. | Log on to server Glasgow using the Kim_Akers user account.
|
2. | Install Report Viewer on server Glasgow.
|
3. | Use
the Server Manager console to add the Web Server (IIS) role. Add any
required features. Ensure that the ASP.NET, Windows Authentication, and
IIS 6 Metabase Compatibility options are selected.
|
4. | Verify that the features listed in the Confirm Installation Selections dialog box match those shown in Figure 4, and then click Install. When the installation process completes, click Close.
|
5. | Double-click
the installation file you downloaded to start the WSUS 3.0 SP1 setup
process. Install WSUS 3.0 SP1 with the following configurations:
Complete a full server installation, including Administration Console. Do not store updates locally. Install the Windows Internal Database locally, as shown in Figure 5.
Use the existing IIS Default Web Site.
The Windows Server Update Services Configuration Wizard
automatically starts when the installation of WSUS 3.0 SP1 is complete.
|
6. | If your Windows Server 2008 computer does not have a connection to the Internet, click Cancel at this point.
|
7. | On the Choose Upstream Server page, shown in Figure 6, select Synchronize From Microsoft Update.
|
8. | Unless your organization uses a proxy server that requires authentication, you do not need to specify a proxy server.
|
9. | On
the Connect To Upstream Server page, click Start Connecting to contact
Microsoft Update to determine the type of updates available, the
products that can be updated, and the available languages.
|
10. | On the Choose Products page shown in Figure 7, select the All Products check box. On the Choose Classifications page, select the All Classifications check box.
|
11. | On the Set Sync Schedule page, select Synchronize Manually.
|
12. | Ensure
that Launch The Windows Server Update Services Administration Console
and Begin Initial Synchronization check boxes are cleared, and then
finish the installation.
|
13. | When
the installation completes, you should open the Update Services console
and investigate creating computer groups, creating auto-approval rules
and the reporting functionality of WSUS 3.0 SP1. This investigation will
help you develop plans to deploy WSUS within your environment.
|
▸ Exercise 2 SCE 2007 VHD
In this exercise, you
will configure the SCE VHD virtual machine and explore the update
features available in SCE 2007. To complete the practice, perform the
following steps:
1. | Log on to the System Center Essentials 2007 VHD virtual machine, using the username Administrator and the password Evaluation1.
|
2. | Use DCPROMO to promote the server to a domain controller (DC) of the new domain, fabrikam.internal, in a new forest, using the default settings.
|
3. | Configure
DNS locally on the server, and the Windows Installation Files can be
located in the C:\WindowsInstallationFiles\i386 folder. Use Evaluation1 as the restore mode password.
|
4. | When you have finished configuring the computer as a DC, double-click the Essentials Setup icon, located on the desktop.
|
5. | Start the installation by clicking Full Setup on the System Center Essentials 2007 Setup page.
|
6. | Complete
the installation process, accepting the default settings except on the
Installation Location page of the setup wizard, on which you should
select the Get Update Files From The Microsoft Update Website option, as
shown in Figure 8.
Use the Administrator account as the computer management account.
Finish the installation by choosing not to check for updates at this
time.
|
7. | Use the System Center Essentials Console to create computer groups named Testers, Accountants, and Research. Add the computer account for SCEVHDSERVER.fabrikam. internal to each of these groups.
|
8. | From
the Updates menu, select Configure Microsoft Update settings. Navigate
through the wizard, synchronizing with Microsoft Update and configuring
SCE 2007 to provide updates to Exchange Server, Microsoft Office, SQL
Server, and Windows. Accept all other default settings. |